
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 3.1.1 release notes &#8212; Django 3.2.6.dev 文档</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="索引" href="../genindex.html" />
    <link rel="search" title="搜索" href="../search.html" />
    <link rel="next" title="Django 3.1 release notes" href="3.1.html" />
    <link rel="prev" title="Django 3.1.2 release notes" href="3.1.2.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.6.dev 文档</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="3.1.2.html" title="Django 3.1.2 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="3.1.html" title="Django 3.1 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-3.1.1">
            
  <div class="section" id="s-django-3-1-1-release-notes">
<span id="django-3-1-1-release-notes"></span><h1>Django 3.1.1 release notes<a class="headerlink" href="#django-3-1-1-release-notes" title="永久链接至标题">¶</a></h1>
<p><em>September 1, 2020</em></p>
<p>Django 3.1.1 fixes two security issues and several bugs in 3.1.</p>
<div class="section" id="s-cve-2020-24583-incorrect-permissions-on-intermediate-level-directories-on-python-3-7">
<span id="cve-2020-24583-incorrect-permissions-on-intermediate-level-directories-on-python-3-7"></span><h2>CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+<a class="headerlink" href="#cve-2020-24583-incorrect-permissions-on-intermediate-level-directories-on-python-3-7" title="永久链接至标题">¶</a></h2>
<p>On Python 3.7+, <a class="reference internal" href="../ref/settings.html#std:setting-FILE_UPLOAD_DIRECTORY_PERMISSIONS"><code class="xref std std-setting docutils literal notranslate"><span class="pre">FILE_UPLOAD_DIRECTORY_PERMISSIONS</span></code></a> mode was not
applied to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using the
<a class="reference internal" href="../ref/contrib/staticfiles.html#django-admin-collectstatic"><code class="xref std std-djadmin docutils literal notranslate"><span class="pre">collectstatic</span></code></a> management command.</p>
<p>You should review and manually fix permissions on existing intermediate-level
directories.</p>
</div>
<div class="section" id="s-cve-2020-24584-permission-escalation-in-intermediate-level-directories-of-the-file-system-cache-on-python-3-7">
<span id="cve-2020-24584-permission-escalation-in-intermediate-level-directories-of-the-file-system-cache-on-python-3-7"></span><h2>CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+<a class="headerlink" href="#cve-2020-24584-permission-escalation-in-intermediate-level-directories-of-the-file-system-cache-on-python-3-7" title="永久链接至标题">¶</a></h2>
<p>On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than <code class="docutils literal notranslate"><span class="pre">0o077</span></code> (no group or others
permissions).</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="永久链接至标题">¶</a></h2>
<ul class="simple">
<li>Fixed wrapping of translated action labels in the admin's navigation sidebar
for East Asian languages (<a class="reference external" href="https://code.djangoproject.com/ticket/31853">#31853</a>).</li>
<li>Fixed wrapping of long model names in the admin's navigation sidebar
(<a class="reference external" href="https://code.djangoproject.com/ticket/31854">#31854</a>).</li>
<li>Fixed encoding session data while upgrading multiple instances of the same
project to Django 3.1 (<a class="reference external" href="https://code.djangoproject.com/ticket/31864">#31864</a>).</li>
<li>Adjusted admin's navigation sidebar template to reduce debug logging when
rendering (<a class="reference external" href="https://code.djangoproject.com/ticket/31865">#31865</a>).</li>
<li>Fixed a data loss possibility in the
<a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.select_for_update" title="django.db.models.query.QuerySet.select_for_update"><code class="xref py py-meth docutils literal notranslate"><span class="pre">select_for_update()</span></code></a>. When using
related fields pointing to a proxy model in the <code class="docutils literal notranslate"><span class="pre">of</span></code> argument, the
corresponding model was not locked (<a class="reference external" href="https://code.djangoproject.com/ticket/31866">#31866</a>).</li>
<li>Fixed a data loss possibility, following a regression in Django 2.0, when
copying model instances with a cached fields value (<a class="reference external" href="https://code.djangoproject.com/ticket/31863">#31863</a>).</li>
<li>Fixed a regression in Django 3.1 that caused a crash when decoding an invalid
session data (<a class="reference external" href="https://code.djangoproject.com/ticket/31895">#31895</a>).</li>
<li>Reverted a deprecation in Django 3.1 that caused a crash when passing
deprecated keyword arguments to a queryset in
<code class="docutils literal notranslate"><span class="pre">TemplateView.get_context_data()</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/31877">#31877</a>).</li>
<li>Enforced thread sensitivity of the <a class="reference internal" href="../topics/http/middleware.html#django.utils.deprecation.MiddlewareMixin" title="django.utils.deprecation.MiddlewareMixin"><code class="xref py py-class docutils literal notranslate"><span class="pre">MiddlewareMixin.process_request()</span></code></a> and <code class="docutils literal notranslate"><span class="pre">process_response()</span></code> hooks
when in an async context (<a class="reference external" href="https://code.djangoproject.com/ticket/31905">#31905</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">__in</span></code> lookup on key transforms for
<a class="reference internal" href="../ref/models/fields.html#django.db.models.JSONField" title="django.db.models.JSONField"><code class="xref py py-class docutils literal notranslate"><span class="pre">JSONField</span></code></a> with MariaDB, MySQL, Oracle, and SQLite
(<a class="reference external" href="https://code.djangoproject.com/ticket/31936">#31936</a>).</li>
<li>Fixed a regression in Django 3.1 that caused permission errors in
<code class="docutils literal notranslate"><span class="pre">CommonPasswordValidator</span></code> and <code class="docutils literal notranslate"><span class="pre">settings.py</span></code> generated by the
<a class="reference internal" href="../ref/django-admin.html#django-admin-startproject"><code class="xref std std-djadmin docutils literal notranslate"><span class="pre">startproject</span></code></a> command, when user didn't have permissions to all
intermediate directories in a Django installation path (<a class="reference external" href="https://code.djangoproject.com/ticket/31912">#31912</a>).</li>
<li>Fixed detecting an async <code class="docutils literal notranslate"><span class="pre">get_response</span></code> callable in various builtin
middlewares (<a class="reference external" href="https://code.djangoproject.com/ticket/31928">#31928</a>).</li>
<li>Fixed a <code class="docutils literal notranslate"><span class="pre">QuerySet.order_by()</span></code> crash on PostgreSQL when ordering and
grouping by <a class="reference internal" href="../ref/models/fields.html#django.db.models.JSONField" title="django.db.models.JSONField"><code class="xref py py-class docutils literal notranslate"><span class="pre">JSONField</span></code></a> with a custom
<a class="reference internal" href="../ref/models/fields.html#django.db.models.JSONField.decoder" title="django.db.models.JSONField.decoder"><code class="xref py py-attr docutils literal notranslate"><span class="pre">decoder</span></code></a> (<a class="reference external" href="https://code.djangoproject.com/ticket/31956">#31956</a>). As a
consequence, fetching a <code class="docutils literal notranslate"><span class="pre">JSONField</span></code> with raw SQL now returns a string
instead of pre-loaded data. You will need to explicitly call <code class="docutils literal notranslate"><span class="pre">json.loads()</span></code>
in such cases.</li>
<li>Fixed a <code class="docutils literal notranslate"><span class="pre">QuerySet.delete()</span></code> crash on MySQL, following a performance
regression in Django 3.1 on MariaDB 10.3.2+, when filtering against an
aggregate function (<a class="reference external" href="https://code.djangoproject.com/ticket/31965">#31965</a>).</li>
<li>Fixed a <code class="docutils literal notranslate"><span class="pre">django.contrib.admin.EmptyFieldListFilter</span></code> crash when using on
reverse relations (<a class="reference external" href="https://code.djangoproject.com/ticket/31952">#31952</a>).</li>
<li>Prevented content overflowing in the admin changelist view when the
navigation sidebar is enabled (<a class="reference external" href="https://code.djangoproject.com/ticket/31901">#31901</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 3.1.1 release notes</a><ul>
<li><a class="reference internal" href="#cve-2020-24583-incorrect-permissions-on-intermediate-level-directories-on-python-3-7">CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+</a></li>
<li><a class="reference internal" href="#cve-2020-24584-permission-escalation-in-intermediate-level-directories-of-the-file-system-cache-on-python-3-7">CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+</a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h4>上一个主题</h4>
  <p class="topless"><a href="3.1.2.html"
                        title="上一章">Django 3.1.2 release notes</a></p>
  <h4>下一个主题</h4>
  <p class="topless"><a href="3.1.html"
                        title="下一章">Django 3.1 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>本页</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/3.1.1.txt"
            rel="nofollow">显示源代码</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>快速搜索</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="转向" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">7月 23, 2021</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="3.1.2.html" title="Django 3.1.2 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="3.1.html" title="Django 3.1 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>